Android Dolphin, Mercury Browsers Vulnerable to Remote Attacks

A number of Android vulnerabilities have made headlines in recent weeks. Back in July, news first broke about “Stagefright,” a bug that allows an attacker to remotely execute code using a specially crafted MMS. At around the same time that Google announced patches for this vulnerability, at least one of which has been shown to be ineffective, researchers uncovered another flaw that attackers could use to render an Android device unresponsive.

Android has clearly had its fair share of publicity this summer; recent developments suggest that attention won’t be shifting away anytime soon.

Over the weekend, a security researcher by the name of Rotlogix discovered that two popular browsers for Android are vulnerable to remote attacks.

In a post published on his blog, Rotlogix explains how an attacker can compromise the Dolphin Browser for Android:

“An attacker with the ability to control the network traffic for users of the Dolphin Browser for Android, can modify the functionality of downloading and applying new themes for the browser,” the researcher states. “Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user’s device.”

Android Dolphin

Rotlogix exploited this vulnerability in the browser, which sports nearly 2.3 million downloads on Google Play Store, by proxying the download traffic and injecting a modified script that could be used with mitmdump. Referring to the work of others in exploiting a browser theme’s unzipping process, the researcher was then able to locate a library libdolphin.so living inside the files directory, to which he was able to write his theme payload. This code execution subsequently overwrote the library and ultimately allowed for the successful use of a netcat listener.

“The only user interaction this requires is selecting, downloading, and applying a new Dolphin Browser theme,” explains Rotlogix.

But that’s not all he found. While exploring the Mercury Browser for Android, which has approximately 16,500 downloads on Google Play Store, the security researcher discovered that the browser suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. These two vulnerabilities, Rotlogix explains in a blog post, can be chained together via invoking the WiFi Manager Activity with the Intent URI scheme using a crafted HTML page, capturing the target device’s IP address, and polling until receiving notice of the Activity invocation until finally exploiting the path transversal vulnerability. This chain of events allows a remote attacker to exfiltrate files from the browser’s directory.

Android Mercury

As of this writing, both the Dolphin and Mercury browsers are still vulnerable to the attacks described above. Rotlogix therefore recommends that users uninstall the browsers and choose an alternative until both Dolphin and Mercury have been patched.